Add keyring linking API placeholders for multi-key scenarios.

Add API placeholders for keyring linking and keyslot context activation of devices under encryption, which may have two volume keys. The API does not work yet; it is just a placeholder for the rc1 release (that API shouldn't change after the rc1 release).

The pitfall with this proposal is activating a device in re-encryption via keyslot context. In such cases, the user may supply fewer keyslots than required. Ordinarily we use -EPERM to tell the user that the key was incorrect/incomplete. However, we may want to distinguish between the situation when the key was incorrect and the one when another valid volume key is required. We may use the -ENOKEY error code (which appears only in liblibdevmapper.c, and in kernel/DM it seems to be used only for dm-verity); alternatively, we might look for another unused error code.

If no such unused error code is found, we may need to redesign the API and break the API compatibility after rc1 once again.

Edited by Daniel Zaťovič